Comparing Victims of Phishing and Malware Attacks: Unraveling Risk Factors and Possibilities for Situational Crime Prevention
This paper compares the risk factors for becoming a victim of two types of phishing: high-tech phishing (using malicious software) and low-tech phishing (using e-mails and telephone calls). These risk factors are linked to possibilities for situational crime prevention. Data from a cybercrime victim survey in the Netherlands (n=10,316) is used. Based on routine activity theory, the multivariate analyses include thirty variables. The findings show situational crime prevention has to be aimed at groups other than just the users themselves. Criminals are primarily interested in popular online places and the onus is on the owners of these virtual places to protect their visitors from getting infected.
💡 Research Summary
The study investigates the distinct risk profiles of two phishing modalities—high‑tech phishing that relies on malicious software (malware) and low‑tech phishing that uses email and telephone contacts—and links these profiles to situational crime prevention (SCP) measures. Using a large‑scale cyber‑crime victim survey from the Netherlands (n = 10,316), the authors apply routine activity theory (RAT) as a conceptual framework. They operationalise the three RAT elements—motivated offenders (offender suitability), suitable targets (target suitability), and capable guardians (guardianship)—through thirty explanatory variables, including demographic attributes (age, gender, education), digital‑literacy indicators, online behaviour patterns (frequency of site visits, types of platforms used), and technical safeguards (antivirus presence, two‑factor authentication, real‑time malware detection).
Multivariate logistic regression models are estimated separately for high‑tech and low‑tech phishing victimisation. The results reveal a clear divergence in the determinants of each phishing type. High‑tech phishing victims are disproportionately users of high‑traffic virtual venues such as large e‑commerce sites, social networking services, and public forums. Their personal security awareness is average, yet the lack of robust protective measures on these platforms—insufficient real‑time malware scanning, weak authentication, and limited monitoring of user activity—significantly raises their infection risk. In contrast, low‑tech phishing victims are mainly older adults, individuals with lower formal education, and those scoring poorly on digital‑literacy assessments. These groups are more susceptible to deceptive emails and phone calls, especially when spam filters, caller‑ID verification, or targeted awareness campaigns are absent.
A key finding across both models is the pivotal role of guardianship. Environments with weak protective oversight—e.g., services that do not enforce two‑factor authentication, lack up‑to‑date antivirus signatures, or provide inadequate staff training for call‑centre operators—exhibit markedly higher victimisation rates. Interaction effects show that high online activity can be protective if coupled with strong personal security practices, but becomes a liability when such practices are weak, amplifying exposure to high‑tech phishing attacks.
The authors argue that SCP strategies must move beyond the traditional focus on individual user education. Instead, responsibility should be shared with the owners and operators of virtual spaces. Policy recommendations include: (1) establishing national cyber‑hygiene standards that mandate baseline security controls for online platforms; (2) implementing a certification scheme for websites and apps that verifies the presence of real‑time malware detection, secure authentication, and continuous monitoring; (3) developing targeted outreach and rapid‑response support for vulnerable groups, particularly the elderly and those with limited digital skills. By shifting the preventive focus to the “guardians” of the digital environment, the study provides a nuanced roadmap for reducing phishing victimisation and enhancing overall cyber‑security resilience.